In the BAS web console expand Policy.
Manage Policy (or create a new one for testing)
Choose the policy to manage
Click "View complete IT Policy"
Under the TLS Application tab Click "edit It Policy"
Change "TLS Device Side Only" to "YES"
Resend the IT policy to the user and then they are good.

This will allow you to change the setting on just a few users that need to get to an internal site that is giving them the error here: